
How Pre-2028 Products Might Avoid the Cyber Resilience Act


If a product is placed on the EU market before 11 December 2027 and is subject to a substantial modification after that date, it must satisfy all the rules of the Cyber Resilience Act (CRA) from the date of the modification onwards (Article 69.2). If we scrutinise this article, we detect its vulnerabilities. The definition of substantial modification is circular and hence largely void. Article 69.2 might even violate the constitutional principle that law must not be applied retroactively.

Transitional Provisions of the Cyber Resilience Act

The CRA fully applies to all products placed on the EU market on 11 December 2027 or later (Article 71.2). Article 69.2 attempts to bring products placed on the market before 11 December 2027 – pre-2028 products, for short – under the full control of the CRA as well.

[Products] that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

CRA Article 69.2

Since we want to find a way to avoid the CRA, we invert the logic of Article 69.2: products placed on the market before 11 December 2027 do not have to comply with the CRA if they are not substantially modified after that date. Here is a diagram from my CRA Survival Training illustrating the situation.

Top row: The CRA applies fully to existing products, if they are substantially modified. Bottom row: The CRA never applies, if products are not substantially modified.

We define a major update as an update that includes a substantial modification. A major update typically introduces functional, performance or architectural changes. Unsurprisingly, we define a minor update as an update without a substantial modification. Updates with security or bug fixes fall into this category.

Let us look at the top row of the diagram first – at the situation we are trying to avoid. Our product is placed on the market before 11 December 2027. It receives three minor updates after 11 December 2027. So far, the CRA does not apply. The fourth update is a major update. From the date of the fourth update onwards, the CRA fully applies to the product. We must perform a conformity assessment against the essential requirements for product properties (Annex I Part I) and vulnerability handling (Annex I Part II), draw up the technical documentation (Annex VII) and the EU declaration of conformity (Annex V or Annex VI), and affix the CE marking to the product. That’s a lot of work!

The bottom row illustrates our preferred situation – avoiding the CRA. Again, our product is placed on the market before 11 December 2027. However, it never receives a major update after that date. Hence, the CRA never applies to this product.

We can keep existing products out of the CRA’s reach if they never receive a major update, that is, if we never modify them substantially. Is this realistic, say, for the next 10 years? No, it isn’t, because we want to improve our products. But wait! For once, we can have our cake and eat it, because the authors of the CRA have bungled the definition of a substantial modification.

Circular Definition of Substantial Modification

We have placed products on the market before 11 December 2027. We want to find a way to substantially modify our products after that date – but without having to satisfy the CRA.

‘substantial modification’ means a change to the [product] following its placing on the market,

  • which results in a modification to the intended purpose for which the [product] has been assessed or
  • which affects the compliance of the [product] with the essential cybersecurity requirements set out in Part I of Annex I;

CRA Article 3.30 (structure and emphasis mine)

We must only consider modifications to products that have already been placed on the market. The intended purpose (Article 3.23) describes what the product is used for. For example, a farmer uses a forage harvester to chop maize. The intended purpose changes if the farmer buys front implements to cut or pick up grass. The intended purpose predates the CRA and can easily be determined from user manuals, documentation, sales material or product announcements.

Affecting compliance with the essential product requirements (Annex I Part I) means that the modification increases the risk of violating these requirements. Section 2.1 Product coverage – Software of the Blue Guide confirms that a product is substantially modified if “the level of risk has increased because of the software update”.

The crucial question is: how can we determine that the risk has increased? We can’t. For products placed on the market before 11 December 2027, we have no obligation to perform a cybersecurity risk assessment, so there is no baseline against which to compare the risk after a modification. Hence we cannot decide whether a modification is substantial.

To check whether the CRA applies to a product after a modification, we would have to apply the CRA retroactively to a product that was placed on the market before the CRA was even applicable. Logically, this is a circular definition and hence void. This allows us to simplify Article 69.2.

[Products] that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a modification of the intended purpose.

Simplified Article 69.2

In other words, the CRA only applies to pre-2028 products if their intended purpose changes from 2028 onwards. This is our first attack vector for keeping pre-2028 products out of the reach of the CRA. And we can do even better.

CRA Might Violate the Non-Retroactivity of Law

Article 69.2 is a blatant attempt to force as many pre-2028 products as possible under the CRA retroactively. This could violate the constitutional right of non-retroactivity of law, which derives from the more general principle of legal certainty. Both are enshrined in the constitutions of most EU countries and in EU law. In the German constitution, for example, legal certainty follows from article 20(3) and non-retroactivity (of punishment) from article 103(2). Non-retroactivity is the flip side of legal certainty.

  • Legal certainty: What is lawful now, cannot be unlawful in the future.
  • Non-retroactivity: Law must not apply retroactively.

Constitutional rights take precedence over EU legislation like the CRA. It is extremely unlikely that a bungled concept like substantial modification can override constitutional rights. Recital 39 gives an example of a substantial modification: not validating user input in an input field could be considered a substantial modification and could force a pre-2028 product under the CRA retroactively. This is absurd!

As the CRA is itself a substantial modification of existing legislation, it must strike the right balance between non-retroactivity and the heavily tightened rules for cyber security. The Blue Guide acknowledges these conflicting forces and reiterates the principle of legal certainty.

The product must comply with the legal requirements that were in place at the time of its placing on the market (or putting into service).

Blue Guide, 2.1 Product coverage

The Blue Guide is well aware that legislators must not force a regulation like the CRA onto manufacturers overnight, as the CRA fundamentally changes how manufacturers do business. Like a court would, the Blue Guide insists on a transitional period to guarantee legal certainty.

The aim of the transitional period is to allow manufacturers […] to adjust gradually to the conformity assessment procedures and the essential or other legal requirements set up by a new or a revised piece of legislation, and, thus, to avert the risk of blocking production. Further, manufacturers […] need to be given time to exercise any rights they have acquired under any pre-existing, national or EU rules […]

Blue Guide, 2.10 Transitional periods in the case of new or revised EU rules; (emphasis mine)

This is why the CRA has a three-year transitional period, from its entry into force on 10 December 2024 until 10 December 2027. Two obligations kick in earlier: Chapter IV on conformity assessment bodies applies from 11 June 2026 and the reporting obligations of Article 14 from 11 September 2026 (Article 71.2). Courts will decide whether three years are long enough.

The Blue Guide gives some direction when it is OK to limit manufacturers in “[exercising] any rights they have acquired under any pre-existing, national or EU rules”. It specifies when it is OK to limit the non-retroactivity principle.

[BG-Limit-1:] After the transitional period, products manufactured before or during this period, in line with the legislation to be repealed, may no longer be placed on the market.

[BG-Limit-2:] A product, which is placed on the market before the end of the transitional period, should be allowed to be made available on the market or put into service.

[BG-Limit-3:] Nevertheless, specific Union harmonisation legislation could forbid the making available of such products if this is deemed necessary for safety reasons or other objectives of the legislation.

Blue Guide, 2.10 Transitional periods in the case of new or revised EU rules; (structure and emphasis mine)

The CRA codifies BG-Limit-1 in Article 71.2: Products placed on the market after the transition period must fully comply with the CRA.

As we know by now, the CRA implements BG-Limit-2 and part of BG-Limit-3 in Article 69.2: products placed on the market before or during the transitional period may stay on the market, but must fully comply with the CRA once they are subject to a substantial modification after that period.

A substantial modification is an example of limiting non-retroactivity by “other objectives of the legislation” in the sense of BG-Limit-3. BG-Limit-3 allows the CRA to justify the restriction of legal certainty with the objectives of the CRA; in effect, the CRA justifies the restriction with itself. But substantial modification is not grave enough to counterbalance legal certainty. Company lawyers and courts would have a field day with such a flimsy argument!

What would be a grave enough justification to limit non-retroactivity? Well, the Blue Guide gives a justification in BG-Limit-3 that every court would accept without hesitation: the risk to the health or safety of people always takes precedence over non-retroactivity. It is much more important than the CRA’s badly defined substantial modification.

Non-retroactivity is the second attack vector against Article 69.2, and arguing with the violation of constitutional rights is the strongest attack vector we have. We stand a fairly good chance of keeping pre-2028 products out of the reach of the CRA, even if we change them significantly from 2028 onwards. We can strengthen our case further by adding the first attack vector, the largely void definition of substantial modification.

Hardening Article 69.2 Against Legal Charges

So far, we have only looked for ways to avoid the consequences of Article 69.2 for pre-2028 products. We will now think in the opposite direction: our goal is to revise Article 69.2 so that its meaning is clear and so that it affects only a few critical pre-2028 products.

The conditions of Article 57 could be a good model for revising Article 69.2. If one of these conditions holds, market surveillance authorities may require corrective measures for CRA-compliant (!) products, or have them withdrawn from the market or recalled. The conditions are significant cybersecurity risks to the health or safety of persons, to fundamental rights, to the services of essential entities (critical infrastructure) or to other aspects of public interest protection. We can reuse the conditions of Article 57 unchanged in Article 69.2.

Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements of this Regulation only if, after that date, they pose a risk to

  • the health or safety of persons;
  • the compliance with obligations under Union or national law intended to protect fundamental rights;
  • the availability, authenticity, integrity or confidentiality of services offered using an electronic information system by essential entities as referred to in Article 3(1) of Directive (EU) 2022/2555; or
  • other aspects of public interest protection.

Revised Article 69.2

Directive (EU) 2022/2555 is better known as the NIS2 directive, which governs the cybersecurity of essential and important entities, that is, critical infrastructure in the wider sense. Examples of essential entities are energy suppliers, transport operators, banks, healthcare providers and public administration.

The four conditions in the revised Article 69.2 are defined in numerous pieces of legislation and court decisions outside the CRA. Unlike the flimsy definition of substantial modification, they carry enough weight to counterbalance non-retroactivity. Applying any of these conditions diligently will almost certainly stand up in court.

The best thing about the revised Article 69.2 is that only a few pre-2028 products would be forced under the CRA from 2028 onwards. This would give manufacturers the legal certainty they need. Interestingly, Article 26.2.d requires the European Commission (EC) to publish guidance clarifying the concept of substantial modification, but the Regulation does not say by when. This clarification is badly needed.

Conclusion

I have shown two ways to keep products that we placed on the market before 11 December 2027 out of the reach of the CRA, even if we substantially modify them from 2028 onwards. Both are ways to work around Article 69.2.

  • The definition of substantial modification is circular and hence largely void. We could only evaluate whether the risk of violating the essential product requirements increased because of a modification after 11 December 2027 if we knew the risk before that date. However, we have no obligation to assess the risk of products placed on the market before 11 December 2027.
  • Substantial modification is not an important enough reason to apply the CRA retroactively to products that are not subject to the CRA because they were placed on the market before 11 December 2027. This could violate the constitutional rights of non-retroactivity of law and legal certainty. The CRA would have to provide a weightier reason, such as a danger to the health or safety of persons, to counterbalance the non-retroactivity of law.

I cannot guarantee that these two arguments work. Nevertheless, I am pretty sure that they are worth exploring with a lawyer to avoid a sales ban or heavy penalties for your products in 2028.

In the section Hardening Article 69.2 Against Legal Charges, I give a revised version of Article 69.2. This version should withstand the two attack vectors sketched above. As a bonus, it forces only the few pre-2028 products with significant risks under the CRA. Article 26.2.d compels the European Commission (EC) to clarify the concept of substantial modification, but it is unclear by when.
